CVE-2024-53100
Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 25/11/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nvme: tcp: avoid race between queue_lock lock and destroy

Commit 76d54bf20cdc ("nvme-tcp: don't access released socket during error recovery") added a mutex_lock() call for the queue->queue_lock in nvme_tcp_get_address(). However, the mutex_lock() races with mutex_destroy() in nvme_tcp_free_queue(), and causes the WARN below.

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 34077 at kernel/locking/mutex.c:587 __mutex_lock+0xcf0/0x1220
Modules linked in: nvmet_tcp nvmet nvme_tcp nvme_fabrics iw_cm ib_cm ib_core pktcdvd nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr sunrpc ppdev 9pnet_virtio 9pnet pcspkr netfs parport_pc parport e1000 i2c_piix4 i2c_smbus loop fuse nfnetlink zram bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper xfs drm sym53c8xx floppy nvme scsi_transport_spi nvme_core nvme_auth serio_raw ata_generic pata_acpi dm_multipath qemu_fw_cfg [last unloaded: ib_uverbs]
CPU: 3 UID: 0 PID: 34077 Comm: udisksd Not tainted 6.11.0-rc7 #319
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:__mutex_lock+0xcf0/0x1220
Code: 08 84 d2 0f 85 c8 04 00 00 8b 15 ef b6 c8 01 85 d2 0f 85 78 f4 ff ff 48 c7 c6 20 93 ee af 48 c7 c7 60 91 ee af e8 f0 a7 6d fd 0b e9 5e f4 ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1
RSP: 0018:ffff88811305f760 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88812c652058 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
RBP: ffff88811305f8b0 R08: 0000000000000001 R09: ffffed1075c36341
R10: ffff8883ae1b1a0b R11: 0000000000010498 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88812c652058
FS: 00007f9713ae4980(0000) GS:ffff8883ae180000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd78483c7c CR3: 0000000122c38000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? __warn.cold+0x5b/0x1af
? __mutex_lock+0xcf0/0x1220
? report_bug+0x1ec/0x390
? handle_bug+0x3c/0x80
? exc_invalid_op+0x13/0x40
? asm_exc_invalid_op+0x16/0x20
? __mutex_lock+0xcf0/0x1220
? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]
? __pfx___mutex_lock+0x10/0x10
? __lock_acquire+0xd6a/0x59e0
? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]
nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]
? __pfx_nvme_tcp_get_address+0x10/0x10 [nvme_tcp]
nvme_sysfs_show_address+0x81/0xc0 [nvme_core]
dev_attr_show+0x42/0x80
? __asan_memset+0x1f/0x40
sysfs_kf_seq_show+0x1f0/0x370
seq_read_iter+0x2cb/0x1130
? rw_verify_area+0x3b1/0x590
? __mutex_lock+0x433/0x1220
vfs_read+0x6a6/0xa20
? lockdep_hardirqs_on+0x78/0x100
? __pfx_vfs_read+0x10/0x10
ksys_read+0xf7/0x1d0
? __pfx_ksys_read+0x10/0x10
? __x64_sys_openat+0x105/0x1d0
do_syscall_64+0x93/0x180
? lockdep_hardirqs_on_prepare+0x16d/0x400
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on+0x78/0x100
? do_syscall_64+0x9f/0x180
? __pfx_ksys_read+0x10/0x10
? lockdep_hardirqs_on_prepare+0x16d/0x400
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on+0x78/0x100
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on_prepare+0x16d/0x400
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on+0x78/0x100
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on_prepare+0x16d/0x400
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on+0x78/0x100
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on_prepare+0x16d/0x400
? do_syscall_64+0x9f/0x180
? lockdep_hardirqs_on+0x78/0x100
? do_syscall_64+0x9f/0x180
? do_syscall_64+0x9f/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f9713f55cfa
Code: 55 48 89 e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 e8 74 f8 ff 48 8b 55 e8 48 8b 75 f0 4
---truncated---
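
An added example, not part of the advisory or of the kernel commit: a Python scan of kernel log lines for the WARN quoted above, reporting it only when `nvme_tcp_get_address` is a confirmed call-trace frame (one without a leading `?`). The sample log is constructed, and `example_drv_show` is a hypothetical name.

```python
import re

MAGIC_WARN = "DEBUG_LOCKS_WARN_ON(lock->magic != lock)"  # WARN text from the advisory
FRAME = "nvme_tcp_get_address"                           # lock taker named there
TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                  # optional dmesg timestamp
RELIABLE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
END = ("RIP:", "</TASK>", "---[ end trace")              # lines that end a call trace

def find_hits(lines):
    """Return one record per lock-magic WARN whose confirmed call-trace frames
    include nvme_tcp_get_address; '?' frames are unconfirmed and ignored."""
    hits, cur = [], None
    def flush():
        if cur and FRAME in cur["frames"]:
            hits.append({"comm": cur["comm"], "frames": cur["frames"]})
    for raw in lines:
        line = TS.sub("", raw.strip())
        if MAGIC_WARN in line:                # a new WARN starts a new record
            flush()
            cur = {"comm": None, "frames": [], "in_trace": False}
        elif cur is None:
            continue
        elif line.startswith("CPU:") and "Comm:" in line:
            cur["comm"] = line.split("Comm:")[1].split()[0]
        elif line.startswith("Call Trace:"):
            cur["in_trace"] = True
        elif cur["in_trace"] and line.startswith(END):
            flush()
            cur = None
        elif cur["in_trace"]:
            m = RELIABLE.match(line)
            if m:
                cur["frames"].append(m.group(1))
    flush()                                   # the log may end mid-trace
    return hits

# Constructed sample: first WARN abridged from the advisory's trace; the second
# is invented and has the nvme frame only as an unconfirmed '?' entry.
SAMPLE = """\
[  101.000001] DEBUG_LOCKS_WARN_ON(lock->magic != lock)
[  101.000002] CPU: 3 UID: 0 PID: 34077 Comm: udisksd Not tainted 6.11.0-rc7 #319
[  101.000003] Call Trace:
[  101.000004]  nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]
[  101.000005]  nvme_sysfs_show_address+0x81/0xc0 [nvme_core]
[  101.000006] RIP: 0033:0x7f9713f55cfa
[  205.000001] DEBUG_LOCKS_WARN_ON(lock->magic != lock)
[  205.000002] Call Trace:
[  205.000003]  ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp]
[  205.000004]  example_drv_show+0x10/0x40 [example_drv]
""".splitlines()
```

`find_hits` accepts any iterable of log lines, with or without timestamps, so it can be fed saved `dmesg` or journal output.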
Impact
Base Score 3.x: 4.70
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.1.118 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.62 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4f946479b326a3cbb193f2b8368aed9269514c35
- https://git.kernel.org/stable/c/782373ba27660ba7d330208cf5509ece6feb4545
- https://git.kernel.org/stable/c/975cb1d2121511584695d0e47fdb90e6782da007
- https://git.kernel.org/stable/c/e15cebc1b21856944b387f4abd03b66bd3d4f027
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html



